Android package file
The Trojan may arrive as a package with one of the following names:
When the Trojan is installed, it requests permissions to perform the following actions:
- Check the phone's current state
- Open network connections
- Write to external storage devices
Once installed, the application will display a black icon with the text "testService".
When the Trojan is executed, it displays the message "Service Start OK".
The Trojan opens a back door and connects to port 54321 on the following domain:
The Trojan may then perform the following actions:
- Report phone information to the attacker
- Open a remote shell
- Browse the directory
- Upload a file
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":